I see that for a number of pages, such as login pages, Geekzone has https enabled. Now that Chrome and Firefox are applying stricter controls to pages, is Geekzone going to go full https? I thought I had seen somewhere I could use https, but https://www.geekzone.co.nz just redirects back to http.

For most pages everything seems OK, but now clicking in to a thread generates an https warning in the URL bar:

This is Firefox 51 just updated today. Chrome 56 is still giving the grey circle of indifference.

It's not a "Warning" per se but a status. The page is not encrypted so the browser just reflects that. A "Warning" would be an encrypted page that has been compromised (MITM attack, invalid certificated, mixed content, etc).

Even our non-encrypted pages have content served over HTTPS (images, CSS and scripts) and the main reason is speed. All those elements are served using HTTP/2 and this gives a speed boost. Also we do serve encrypted pages (login, messages, profile, gallery) and the reasons are obvious.

I'd like to serve the whole site over HTTPS but there are (as mentioned) two reasons why this is not possible at the moment: advertising and mixed content.

One network we use is not able to provide HTTPS yet. Dropping this network would mean big cut in revenue so we keep pushing them to have this added.

Mixed content is another area that involves a lot of "training". It seems people rather post images from third party sites (sometimes their own servers) instead of uploading to Geekzone (where the images are available as HTTPS). These third-party images will not appear on encrypted pages if not served over HTTPS themselves. We could block these images from being added to messages but hey...

I am more interested in how others are looking to handle the transition to https everywhere as Google, Mozilla and I believe even Microsoft start to enforce it by upgrading their browser warnings for plain http sites. Browsers have been training people to not trust sites that have red in the URL bar and soon there is going to be a whole lot more red showing up even if the page doesn't need https security.

@timmay, it isn't the login page I have an issue with, that appears as secure. It is when I click into a thread I see the warning in firefox 51.

Are you accessing this from your work? At my work they have SSL inspection enabled which generates errors on Chrome with Geekzone and other SSL enabled sites - try going to https://murfy.nz to see if this is the case (as it uses the same Cloudflare SSL certificate).

IMO, it is more about these big companies trying to force standards. Using a secure certificate often has additional costs, eg. some servers require dedicated IPs for secure certs, and to convert some websites to https could be a major expensive job.

In many cases there is no need for HTTPS anyway - take the MetService site as an example. Weather data is hardly a secret!

IMO the bigger problem is websites that use old versions of CMS like wordpress, which have security holes. I wonder how long it will be before a warming in the browser will appear for people who visit a wordpress website running an old version? I notice that some websites detect when using an old version of Chrome of firefox, although they often incorrectly detect the wrong version, and I am actually using the latest version.